BKDR_SIMDA.SMEP

This malware family takes its name from the SIMDA botnet operations, which was taken down in April 2015.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It connects to a website to send and receive information.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

• %User Profile%\Application Data\{random}.reg
• %User Profile%\Application Data\mcp.ico
• %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}\searchplugins\search.xml
• %Desktop%\Computer.lnk
• %User Temp%\{random}.sys
• %User Temp%\{random}-{random}.exe
• %User Temp%\{random number}.tmp
• %User Temp%\{random}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

• %User Profile%\Application Data\ScanDisc.exe
• %User Profile%\Application Data\{random}.exe
• %User Temp%\{Random Number}.tmp

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It executes then deletes itself afterward.

Autostart Technique

This backdoor creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{random name} = "%User Profile%\Application Data\{random name}.exe"

Other System Modifications

This backdoor adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorAdmin = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorUser = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = "0"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows
update = "shortcut"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{GUID}
NameServer = "8.8.8.8"

(Note: The default value data of the said registry entry is "".)

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• {BLOCKED}9.{BLOCKED}6.87.106
• report.{pseudorandom}.com
• update.{pseudorandom}.com
• {BLOCKED}9.{BLOCKED}3.196.94
• {BLOCKED}9.{BLOCKED}7.173.222
• {BLOCKED}9.{BLOCKED}6.66.239
• {BLOCKED}.{BLOCKED}9.248.152
• {BLOCKED}9.{BLOCKED}6.66.239

Download Routine

This backdoor connects to the following website(s) to download and execute a malicious file:

• http://update1.{BLOCKED}exefeed.eu/?abbr=RTK&action=download&setupType=umx&setupFileName=process_64.exe
• http://update1.{BLOCKED}exefeed.eu/?abbr=RTK&action=download&setupType=um32&setupFileName=process_32.exe

HOSTS File Modification

This backdoor modifies the system's HOSTS files to redirect users once the following Web site(s) are accessed:

• www.bing.com:{BLOCKED}.{BLOCKED}.68.97
• bing.com:{BLOCKED}.{BLOCKED}.68.97
• gr.bing.com:{BLOCKED}.{BLOCKED}.68.97
• ir.bing.com:{BLOCKED}.{BLOCKED}.68.97
• gb.bing.com:{BLOCKED}.{BLOCKED}.68.97
• dk.bing.com:{BLOCKED}.{BLOCKED}.68.97
• au.bing.com:{BLOCKED}.{BLOCKED}.68.97
• ro.bing.com:{BLOCKED}.{BLOCKED}.68.97
• ca.bing.com:{BLOCKED}.{BLOCKED}.68.97
• pt.bing.com:{BLOCKED}.{BLOCKED}.68.97
• it.bing.com:{BLOCKED}.{BLOCKED}.68.97
• de.bing.com:{BLOCKED}.{BLOCKED}.68.97
• es.bing.com:{BLOCKED}.{BLOCKED}.68.97
• tr.bing.com:{BLOCKED}.{BLOCKED}.68.97
• hu.bing.com:{BLOCKED}.{BLOCKED}.68.97
• br.bing.com:{BLOCKED}.{BLOCKED}.68.97
• cz.bing.com:{BLOCKED}.{BLOCKED}.68.97
• ie.bing.com:{BLOCKED}.{BLOCKED}.68.97
• ch.bing.com:{BLOCKED}.{BLOCKED}.68.97
• nl.bing.com:{BLOCKED}.{BLOCKED}.68.97
• se.bing.com:{BLOCKED}.{BLOCKED}.68.97
• no.bing.com:{BLOCKED}.{BLOCKED}.68.97
• at.bing.com:{BLOCKED}.{BLOCKED}.68.97
• fi.bing.com:{BLOCKED}.{BLOCKED}.68.97
• fr.bing.com:{BLOCKED}.{BLOCKED}.68.97
• pl.bing.com:{BLOCKED}.{BLOCKED}.68.97
• search.yahoo.com:{BLOCKED}.{BLOCKED}.186.249
• www.search.yahoo.com:{BLOCKED}.{BLOCKED}.186.249
• gr.uk.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• ir.uk.search.yahoo.com:{BLOCKED}.{BLOCKED}.239.84
• uk.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• dk.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• au.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• ro.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• ca.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• pt.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• it.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• de.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• es.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• tr.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• hu.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• br.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• cz.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• ie.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• ch.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• nl.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• se.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• no.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• fr.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• pl.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• mx.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• search.yahoo.co.jp:{BLOCKED}.{BLOCKED}.112.8.
• gr.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• malaysia.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• vn.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• cl.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• id.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• in.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• co.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• ph.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• nz.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• ve.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• ar.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• fi.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• th.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• sg.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• ch.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• at.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• za.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• cn.search.yahoo.com:{BLOCKED}.{BLOCKED}.112.8
• www.google-analytics.com:{BLOCKED}.{BLOCKED}.87.101
• google-analytics.com:{BLOCKED}.{BLOCKED}.87.101
• connect.facebook.net:{BLOCKED}.{BLOCKED}.87.101
• ::1 localhost
• google-analytics.com
• bing.com
• connect.facebook.net

Information Theft

This backdoor gathers the following data:

• Volume Information
• Language Information
• Computer Name
• Network Adapter
• SusClientId
• Product Id
• Windows Install Date

Other Details

This backdoor checks for the presence of the following process(es):

• vba32arkit.exe
• cv.exe
• irise.exe
• IrisSvc.exe
• wireshark.exe
• dumpcap.exe
• ZxSniffer.exe
• Aircrack-ng Gui.exe
• observer.exe
• tcpdump.exe
• WinDump.exe
• wspass.exe
• Regshot.exe
• ollydbg.exe
• PEBrowseDbg.exe
• windbg.exe
• DrvLoader.exe
• SymRecv.exe
• Syser.exe
• apis32.exe
• VBoxService.exe
• VBoxTray.exe
• SbieSvc.exe
• SbieCtrl.exe
• SandboxieRpcSs.exe
• SandboxieDcomLaunch.exe
• SUPERAntiSpyware.exe
• ERUNT.exe
• ERDNT.exe
• EtherD.exe
• Sniffer.exe
• CamtasiaStudio.exe
• CamRecorder.exe

NOTES:

This backdoor tries to open a file %System Root%\cgvi5r6i\vgdgfd.72g, which may contain shell commands.

It checks for the existence of the following registries.

• HKEY_CURRENT_USER\Software\CommView
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\IRIS5
• HKEY_CURRENT_USER\Software\eEye Digital Security
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
• HKEY_CURRENT_USER\SOFTWARE\ZxSniffer
• HKEY_CURRENT_USER\SOFTWARE\Cygwin
• HKEY_CURRENT_USER\SOFTWARE\Cygwin
• HKEY_CURRENT_USER\SOFTWARE\B Labs\Bopup Observer
• HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Bopup Observer
• HKEY_CURRENT_USER\Software\B Labs\Bopup Observer
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
• HKEY_CURRENT_USER\Software\Win Sniffer
• HKEY_CURRENT_USER\SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
• HKEY_CURRENT_USER\Software\Microsoft\tVersion\Explorer\MenuOrder\Start \Debugging Tools for Windows (x86)
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SDbgMsg
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\der\Start Menu2\Programs\APIS32.
• HKEY_CURRENT_USER\Software\Syser Soft
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
• HKEY_CURRENT_USER\SOFTWARE\APIS32
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBoxGuest Additions
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\VBoxGuest
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\tVersion\Uninstall\Sandboxie
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SbieDrv
• HKEY_CURRENT_USER\Software\Classes\Folder\shell\sandbox
• HKEY_CURRENT_USER\Software\Classes\*\shell\sandbox
• HKEY_CURRENT_USER\SOFTWARE\SUPERAntiSpyware.com
• HKEY_CURRENT_USER\SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
• HKEY_CURRENT_USER\SOFTWARE\SUPERAntiSpyware.com
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
• HKEY_CURRENT_USER\SYSTEM\ControlSet001\EnumRoot\LEGACY_TBN178D5\0000
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\services\tbn178d5\DisplayName
• HKEY_CURRENT_USER\SYSTEM\ControlSet001\services\tbn178d5
• HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBN178D5\0000

It also checks for loaded libraries:

• SBIEDLL.DLL
• SBIEDLLX.DLL
• DBGHELP.DLL

It also checks if the following information are equal:

• Computer Name = Sandbox
• User name = CurrentUser
• File name = file.exe

When a number of conditions are met, the malware executes an infinite loop.

It appends the legitimate file %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}\prefs.js with user_pref("browser.search.selectedEngine", "http://www.bing.com/search?q={searchTerms}");